CVE-2026-2526
Remote Command Injection in Wavlink WL-WN579A3 multi_ssid Function
Publication date: 2026-02-16
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wavlink | wl-wn579a3_firmware | to 2021-02-19 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2526 is a command injection vulnerability found in the Wavlink WL-WN579A3 wireless router firmware up to version 20210219.
The flaw exists in the multi_ssid function within the /cgi-bin/wireless.cgi file, specifically in the handling of the SSID2G2 parameter.
An attacker can manipulate the SSID2G2 argument with crafted input to inject arbitrary commands, which the device improperly neutralizes.
This vulnerability allows remote attackers to execute commands on the device without authentication.
The exploit has been publicly disclosed and is available in public repositories.
How can this vulnerability impact me? :
This vulnerability impacts the confidentiality, integrity, and availability of the affected device.
Because it allows remote command execution without authentication, an attacker can take control of the router remotely.
Such control could lead to unauthorized access to network traffic, disruption of network services, or use of the device as a foothold for further attacks.
There are no known countermeasures or vendor patches, so the affected device should be replaced to mitigate risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the Wavlink WL-WN579A3 router is running firmware version up to 20210219 and if the /cgi-bin/wireless.cgi endpoint is accessible.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves command injection via the SSID2G2 parameter, detection can involve sending crafted HTTP requests to the /cgi-bin/wireless.cgi endpoint with manipulated SSID2G2 values and observing if arbitrary commands are executed.'}, {'type': 'paragraph', 'content': 'No specific detection commands are provided in the resources, but network administrators can use tools like curl or wget to send test requests, for example:'}, {'type': 'list_item', 'content': 'curl -v "http://<router-ip>/cgi-bin/wireless.cgi?SSID2G2=;id"'}, {'type': 'list_item', 'content': 'curl -v "http://<router-ip>/cgi-bin/wireless.cgi?SSID2G2=;uname -a"'}, {'type': 'paragraph', 'content': 'If the response contains output from these commands (like system information), it indicates the device is vulnerable.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
There are no known countermeasures or patches available from the vendor, as Wavlink did not respond to the vulnerability disclosure.
The recommended immediate mitigation is to replace the affected device with a non-vulnerable model.
Additionally, network administrators should consider isolating the vulnerable device from untrusted networks and monitoring for suspicious activity targeting the /cgi-bin/wireless.cgi endpoint.